Today we published our Q2 figures covering the most relevant trends in the malware landscape. Some of the key points from this Q2 report includes:

Distribution of Banker Trojan families by prevalence in the market.

Distribution of Active malware by country (this entails PCs with active malware running in memory).

Spam levels fluctuated between 60% to 94% of all email on the Internet

Banker Trojans continue to be a prominent factor when taking into consideration Identity Theft. As covered in the report Banker Trojans experienced a 400% increase as opposed to other years which were significantly less. In addition Russian Banker Trojans remain strong in terms of the overall distribution by family.

In the first half of Q2 2008 we saw an emergence of SQL Injection attacks being used to conduct mass hacking campaigns in order to distribute as much malware as possible. In conclusion cyber-crime only continues to evolve and should not be ignored when implementing security at your organization. The report can be found here:

SQL injection attacks are evolving as the prime mode of transportation for malicious scripts that hackers wish to insert into legitimate web-sites. Typically the web-site is a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.

These scripts are often designed to exploit vulnerabilities that the vendor usually has a patch available for; however, if you look at it from a statistical perspective, there will be a certain percentage of users who have not patched their systems against these vulnerabilities. In addition some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users as in the case with the recent Adobe Flash vulnerability.

In most cases the Java script code being used to execute the vulnerability is obfuscated and very difficult to perform an analysis on, thus, the real intention behind the script (exploitation of vulnerabilities) can’t be seen by the naked eye. It takes clever decoding techniques to reveal the presence of actual exploit code.

The result is extra time and effort on the part of the anti-virus lab engineer to create an effective vaccination for malware delivered through encoded Java script.

However; the average rate of infection amongst protected networks is anywhere from 70% to 75% according to research conducted by PandaLabs on over 1200 networks across the globe. This obviously raises questions concerning the level and quality of protection companies have running on their PCs.

However; little is known about the true intentions or motivations behind these mass hacking campaigns. From our perspective it’s purely business and with a profit driven approach hackers will do pretty much anything to make a buck.

So exactly how do hackers gain access to web-sites without administrative privileges or by exploiting site specific vulnerabilities? Good question! It’s quite obvious that hackers are doing this through automation as it’s impossible to hack these sites manually. Some recent hacking campaigns have shown numbers in the range of 250,000 to 500,000 sites generically compromised almost overnight. What is not entirely clear is how they are gaining access to these sites at such a high rate without really customizing the attack on a site-by-site basis.

One theory is tools that incorporate the Google API framework to automate the tasks of discovering and validating if a site may be vulnerable to a SQL injection attack; a process that normally would require a visual inspection. An example of a query string that could be used is: intitle:”<iframe src=http”. This tool would also have the capability of constructing a specific injection routine to be performed against discovered targets. Certainly there are tools out there capable of conducting automated blind SQL Injection attacks including the discovery of vulnerable targets.

Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.

This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:

– Users have limited rights to the network

– Users can’t modify anything within the system directory

– Users must access the Internet through a secured proxy.

In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.

The following case study covers an audit spanning more then 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set criteria consisting of hidden active or latent malware along with their associated vulnerabilities.

In the last few hours we have observed a high-profile hack in progress, which supposedly infected 10,000 web-sites with a script-based attack used to launch and execute malicious code. According to reports from several leading security firms the hack was orchestrated in a similar fashion to how the Miami Dolphins site was used to serve up malicious code to its viewers.

The web-sites supposedly pointed to a file which then executed malicious code on the user’s PC.

In the world of cyber-crime that is driven by an underground economy more and more of these web-based attacks will emerge targeting specific populations and in some cases the security vendor itself as seen recently with one of the top three security vendors in the world.

Because the attack was part of a global effort by hackers we suspect that perhaps hundreds or even thousands of users could have already been infected by the Trojan from different sites across the globe.

Today’s hackers are in it for the profit thus we recommend that consumers and business users alike check their PCs for malicious code before doing any online commerce that could be associated with this attack, the extend of which is uncertain. Today’s incident begs the question: what percentage of the Internet may already be laced with crime-ware?

Currently, buying decisions for security solutions are heavily influenced by the reviews and certifications they receive that measure product quality and effectiveness. These ratings, published by independent third parties, are oftentimes used as a barometer for how CIOs make buying decisions and whether they decide to go with one product over another.

What CIOs don’t realize however, is that the sources they have been depending on for these “valuable” second opinions, are using outdated and inaccurate testing methodologies, and therefore, providing a false sense of security. The current testing methodologies utilized by reviewers and independent third parties to verify that a product meets certain requirements mainly takes into perspective a small portion of the vendor’s protection model related to prevention capabilities for malicious code. Security products are being rated against their ability to catch known viruses via signature based defenses.

In addition, these tests do not take into consideration the vendor’s proactive capabilities, either through heuristics or behavioral-based technologies. Thus, current malware testing does not reflect the vendor’s actual capabilities to protect their customers from the most relevant security threats.Using these inaccurate testing methodologies, product reviewers are not looking at the entire picture and are only basing their ratings on a portion of the entire product’s detection capability.

If the reviews are not all-encompassing, conducted inconclusively and/or neglect to factor in all aspects of malware detection and prevention, the ratings will be skewed. The industry is addressing this problem through the formation of a standards group known as the Anti-Malware Testing Standards Organization—or AMTSO—in which Panda Security is a founding member. The objective of the AMTSO is to promote standards and best practices for correctly testing and evaluating the effectiveness of anti-malware solutions on the market. A vast number of other vendors including Microsoft, IBM, McAfee and Symantec are also a part of this group because they all recognize that significant improvements need to be made in the review process.

With the formation of the AMTSO, we hope that reviewers and independent third parties adopt the best practices developed for testing and evaluating anti-malware solutions—taking into consideration all parts of a vendor’s protection model and not just focusing on signature-based detection as the sole driver for product quality. By adopting these standards, reviews will become more encompassing of the entire product’s security capability and will offer a more authentic performance rating. This will benefit CIOs in the long term as they will be purchasing products on the basis of actual protection capabilities and not a pre-conceived notion that users are protected by the signature module.